Characterization of Program Behavior under Faulty Instruction Encoding
Table 2. Examples of realigned, preserved, and invalid categories.

| Category | Encoding (before fault injection) | Assembly (before fault injection) | Encoding (after fault injection) | Assembly (after fault injection) | Description |
|---|---|---|---|---|---|
| Realigned | 85 C0 | TEST EAX, EAX | 05 C0 74 12 B8 | ADD EAX, 0xB81274C0 | The most significant bit of the first instruction's opcode byte is changed to 0 (85 becomes 05). The fault changes the length of the first instruction from 2 bytes to 5 bytes, so the subsequent instructions are also affected: the immediate of MOV EAX, 0x0 is interpreted as two ADD instructions. |
| | 74 12 | JZ | 00 00 | ADD [EAX], AL | |
| | B8 00 00 00 00 | MOV EAX, 0x0 | 00 00 | ADD [EAX], AL | |
| Preserved | 85 C0 | TEST EAX, EAX | 84 C0 | TEST AL, AL | The fault changes the operand EAX of the original instruction into AL. The length of the first instruction remains 2 bytes, and thus the subsequent JZ instruction is unaffected. |
| | 74 12 | JZ | 74 12 | JZ | |
| Invalid | 85 C0 | TEST EAX, EAX | 8D C0 | (cannot be decoded) | The encoding 8D C0 cannot be decoded. The fault incurs an illegal instruction exception. |
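As an added illustration that is not part of the paper, the following toy Python decoder reproduces the three categories of Table 2 by flipping one bit of the first opcode byte of the sequence 85 C0 / 74 12 / B8 00 00 00 00 and re-decoding the bytes with a linear sweep. It covers only the opcodes appearing in the table, and its classification rule (undecodable gives invalid, unchanged instruction boundaries give preserved, anything else gives realigned) is an assumption of this example, not a criterion the page states.

```python
REG32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]
REG8 = ["AL", "CL", "DL", "BL", "AH", "CH", "DH", "BH"]

def _rm(mod, rm, regs):
    # ModRM r/m operand: register form, or plain [reg] memory form (SIB/disp not modelled)
    if mod == 3:
        return regs[rm]
    return f"[{REG32[rm]}]" if mod == 0 and rm not in (4, 5) else None

def decode_one(code, i):
    # Decode one instruction at offset i -> (length, text), or None if it cannot be decoded
    op = code[i]
    if op in (0x05, 0xB8) and i + 5 <= len(code):          # ADD EAX, imm32 / MOV EAX, imm32
        imm = int.from_bytes(code[i + 1:i + 5], "little")
        return 5, f"{'ADD' if op == 0x05 else 'MOV'} EAX, 0x{imm:X}"
    if op == 0x74 and i + 2 <= len(code):                   # JZ rel8
        return 2, f"JZ {int.from_bytes(code[i + 1:i + 2], 'little', signed=True):+#x}"
    if op in (0x85, 0x84, 0x00) and i + 2 <= len(code):     # TEST r/m32,r32 / TEST r/m8,r8 / ADD r/m8,r8
        modrm = code[i + 1]
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        regs = REG32 if op == 0x85 else REG8
        dst = _rm(mod, rm, regs)
        return None if dst is None else (2, f"{'ADD' if op == 0x00 else 'TEST'} {dst}, {regs[reg]}")
    return None  # 8D C0 lands here: LEA needs a memory operand, so mod == 3 is undefined (other opcodes not modelled)

def disassemble(code):
    # Linear sweep from offset 0: returns ([(offset, text), ...], decoded_ok)
    out, i = [], 0
    while i < len(code) and (d := decode_one(code, i)) is not None:
        out.append((i, d[1]))
        i += d[0]
    if i < len(code):
        out.append((i, "(cannot be decoded)"))
    return out, i >= len(code)

def flip_bit(code, byte_index, bit):
    # Single-bit fault in the encoding, as in Table 2 (85 -> 05 is bit 7, 85 -> 84 bit 0, 85 -> 8D bit 3)
    return code[:byte_index] + bytes([code[byte_index] ^ (1 << bit)]) + code[byte_index + 1:]

def classify(original, faulty):
    # Assumed criterion (not stated on this page): undecodable -> invalid,
    # identical instruction boundaries -> preserved, otherwise realigned
    new, ok = disassemble(faulty)
    if not ok:
        return "invalid"
    same = [o for o, _ in disassemble(original)[0]] == [o for o, _ in new]
    return "preserved" if same else "realigned"

ORIGINAL = bytes.fromhex("85C0 7412 B800000000")  # constructed: Table 2's TEST EAX,EAX; JZ +0x12; MOV EAX,0x0
```

Calling `classify(ORIGINAL, flip_bit(ORIGINAL, 0, b))` with `b` equal to 7, 0 and 3 yields realigned, preserved and invalid respectively, and `disassemble` on the realigned case shows the 5-byte ADD followed by the two ADD [EAX], AL instructions of the table.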